WO2016031103A1 - Security system, security method and computer-readable medium - Google Patents


Info

Publication number
WO2016031103A1
Authority
WO
WIPO (PCT)
Prior art keywords
simulated
layer
host
response
simulation
Application number
PCT/JP2015/002458
Other languages
English (en)
Japanese (ja)
Inventor
角丸 貴洋
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Priority to JP2016544908A (granted as JP6460112B2)
Priority to US15/505,381 (published as US20170272466A1)
Publication of WO2016031103A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer

Definitions

  • the present invention relates to a network security system, a security method, and a computer-readable medium.
  • Patent Document 1 discloses a communication monitoring system that generates a pseudo host device when a communication can be presumed to be malicious.
  • the communication monitoring system of Patent Document 1 generates a pseudo response as if the attack was successful for an attack from a malicious attacker.
  • Patent Document 2 discloses an unauthorized intrusion detection device that generates a decoy in a device accessible via a network.
  • the unauthorized intrusion detection apparatus disclosed in Patent Document 2 detects an intrusion by an attacker based on the degree of coincidence between an event pattern of decoy access control and a behavior pattern stored in a behavior pattern database. Specifically, it detects that a targeted attack has occurred by detecting the behavior of an attacker searching the internal network of the organization.
  • in Patent Document 1, an attack must be presumed to be malicious in advance, so a newly developed attack may not be estimated to be malicious. Moreover, in Patent Document 2, an attacker's intrusion cannot be detected when the observed behavior does not match a behavior pattern stored in the behavior pattern database, so an intrusion that uses a newly developed attack behavior pattern may go undetected.
  • attackers can attack from anywhere, but defenders must defend against attacks coming from anywhere. Moreover, an attacker is allowed to fail, whereas a defender is not, and must reliably defend against every attack. While attackers can gain insight into the defended network at a fraction of the cost, defenders must spend enormous sums building and maintaining network security. In addition, attackers are more likely to benefit from technological and organizational innovation in cyberspace, while defenders are more likely to be threatened by it.
  • attackers therefore have an advantage over defenders due to the nature of cyber security. To improve network security, it is important to shift the cost advantage toward the defender by increasing the cost of an attack. In other words, security can be improved if defense in depth that minimizes damage can be realized while raising the cost an attacker must pay.
  • An object of the present invention is to provide a security system, a security method, and a program with high security.
  • a security system according to an aspect of the present invention is a security system that prevents unauthorized intrusion into a network system and includes a packet receiving unit that receives a packet from an intrusion device attempting unauthorized intrusion, and, for a plurality of virtual simulation devices,
  • a unique information storage unit for storing their unique information,
  • an activation management unit for managing whether to activate each simulation apparatus based on the unique information, and, based on a request included in the packet,
  • a simulation device management unit that determines whether or not each of the plurality of activated simulation devices responds to the request, and, for each simulation device that the simulation device management unit determines should respond,
  • a simulated response generation unit that generates a simulated response, and a simulated response transmission unit that transmits the simulated response to the intrusion device.
  • a security method according to an aspect of the present invention is a security method for preventing unauthorized intrusion into a network system, and includes the steps of receiving a packet from an intrusion device attempting to intrude, managing whether to activate each of a plurality of virtual simulation devices with reference to their pre-stored unique information, and determining, based on a request included in the packet, whether or not the plurality of activated simulation devices respond
  • a program according to an aspect of the present invention is a program for causing a computer to execute a security method for preventing unauthorized intrusion into a network system, and the security method includes a step of receiving a packet from an intrusion device that attempts unauthorized intrusion,
  • a step of managing whether or not to activate each simulation device with reference to pre-stored unique information of a plurality of virtual simulation devices, a step of determining, based on a request included in the packet, whether or not each of the plurality of activated simulation devices responds, a step of generating a simulated response to the request for each simulation device determined to respond, and a step of transmitting the simulated response to the intrusion device.
  • FIG. 1 is a block diagram showing a configuration of a security device according to a first exemplary embodiment. The remaining figures show the hierarchy of the communication protocol, the unique information of the simulated host contained in the simulated response produced for a search request, a block diagram of the structure of the security apparatus according to Embodiment 2, and a block diagram of the structure of the security system according to Embodiment 3.
  • Embodiment 1. The security system and the security method according to the present embodiment improve security based on defense in depth.
  • the cyber kill chain consists of attack steps such as reconnaissance, intrusion, hiding, securing a bridgehead, search, penetration, occupation, seizure and withdrawal.
  • the security system applies various deceptions at each attack step. For example, a group of virtual communication devices (a simulated deception) is generated, and ambiguous, fake, or unclear information is given to the attacker in the search step or penetration step. This can obstruct or misdirect the behavior of a malicious attacker and increase the attack cost of achieving the attacker's purpose. That is, the attack cost until the attacker reaches important data can be increased, which prevents important data such as intellectual property from leaking outside.
  • FIG. 1 is a diagram showing an overall configuration of a security system 100 according to the present embodiment.
  • the security system 100 includes a security device 101, a real network system 120, and a simulated network system 110.
  • the security device 101, the actual network system 120, and the simulated network system 110 are connected to each other via the network 200.
  • the infected apparatus 300 is connected to the network 200 as an attacker.
  • the real network system 120 includes a plurality of real hosts 121, 122, and the like.
  • the real hosts 121 and 122 are communication devices that actually exist (host devices, computers, or communication terminals) and are connected via a network such as a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet. Although two real hosts 121 and 122 are shown in FIG. 1, the number of real hosts is not particularly limited.
  • network management information such as a computer name (or NetBIOS name), an IP address, a MAC address, a domain name, a group name, and a network management name is set in the real hosts 121 and 122.
  • the real hosts 121 and 122 are equipped with an OS (Operating System) such as Windows (registered trademark) or Linux (registered trademark).
  • the security device 101 generates a simulated network system 110.
  • the simulated network system 110 includes a plurality of simulated hosts 111 to 114.
  • the simulated hosts 111 to 114 are virtual communication devices (virtual host devices), that is, communication devices that do not exist.
  • the security device 101 generates the simulated hosts 111 to 114 in the same manner as a virtual honeypot.
  • the security device 101 applies various deceptions so that the simulated hosts 111 to 114, which do not actually exist, appear to exist.
  • the security device 101 can be configured by a real host that actually exists.
  • the security device 101 executes the security method according to the present embodiment by a network security program installed in the security device 101.
  • the security device 101 may be a dedicated computer, or a computer included as a real host in the real network system 120 may be used.
  • the security device 101 is not limited to a physically single device, and may be configured by a plurality of devices.
  • the attack cost until the infected device 300 steals important data is increased. Since the security device 101 generates the simulated hosts 111 and 112 virtually, the number of simulated hosts can be increased at low cost, and generating a large number of simulated hosts 111 and 112 makes it easier to deceive an attacker. The number of simulated hosts 111 to 114 generated by the security device 101 is not particularly limited; the more simulated hosts the security device 101 generates, the further the attack cost can be increased.
  • the security system 100 prevents unauthorized intrusion from the infected apparatus 300.
  • the infected device 300 is a communication device (host) infected with malware.
  • the infected device 300 attempts unauthorized intrusion into the real network system 120 under remote control from the outside.
  • the infected apparatus 300 tries to steal important data from the real hosts 121 and 122 included in the real network system 120.
  • the intrusion device attempting to intrude into the actual network system 120 is not limited to the infected device 300 infected with malware, but may be an external communication device connected via an external network such as the Internet.
  • the security device 101, the infection device 300, and the real network system 120 are connected via the network 200.
  • the security device 101 or the real hosts 121 and 122 may be connected to the network 200 via a firewall.
  • FIG. 2 is a block diagram schematically showing the configuration of the security device 101.
  • the security device 101 includes a packet receiving unit 11, a packet delivery unit 12, a broadcast packet processing unit 13, a unicast packet processing unit 14, a search request determination unit 15, a simulated host management unit 16, a unique information storage unit 17, a simulated host activation management unit 18, a simulated response generation unit 19, a simulated response template storage unit 20, a simulated response transmission control unit 21, a simulated response transmission queue 22, and a simulated response transmission unit 23.
  • processing of each unit will be described.
  • the packet receiving unit 11 receives a packet flowing on the network 200.
  • the packet receiving unit 11 receives a packet when the transmission destination address of the packet is a predetermined address.
  • the packet receiving unit 11 receives a packet from the infected apparatus 300 that attempts an unauthorized intrusion.
  • the packet delivery unit 12 determines the type of the packet received by the packet receiving unit 11. Specifically, the packet delivery unit 12 determines whether the packet is a broadcast packet or a unicast packet, delivers a broadcast packet to the broadcast packet processing unit 13, and delivers a unicast packet to the unicast packet processing unit 14. Further, the packet delivery unit 12 refers to the unique information storage unit 17 and identifies whether or not the transmission destination address is among the addresses of the simulated hosts 111 to 114.
  • a unicast packet is a packet for specifying a single address and performing one-to-one data communication.
  • the broadcast packet is a packet for specifying a broadcast address and performing one-to-unspecified many data communication.
  • the broadcast packet includes a message for all of the real hosts 121 and 122 and the simulated hosts 111 to 114.
  • the infected apparatus 300 transmits a broadcast packet and tries to acquire information on the real hosts 121 and 122 in the real network system 120.
  • the broadcast packet may be a multicast packet.
  • the packet delivery unit 12 may deliver the multicast packet to the broadcast packet processing unit 13. Then, the broadcast packet processing unit 13 may process the multicast packet.
  • the security device 101 may include a multicast packet processing unit.
  • a multicast packet is a packet for performing one-to-multiple data communication.
  • the infected apparatus 300 transmits, as a broadcast search request, a broadcast packet including a search message such as a search for a communication apparatus (host) or a search for a network service (see FIG. 1).
  • the search request message is a NetBIOS Name Service (NBNS) message.
  • the real hosts 121 and 122 or the simulated hosts 111 to 114 transmit a response to the search request to the infected apparatus 300 as a unicast search response.
  • the infected apparatus 300 transmits a unicast negotiation request to a specific host.
  • this request is an SMB (Server Message Block) message.
  • the simulated hosts 111 to 114 or the real hosts 121 and 122 transmit a unicast negotiation response to the infected apparatus 300. More specifically, the infected device 300 transmits a unicast negotiation request in response to each response to the preceding broadcast search request. In the example of FIG. 1, only one unicast negotiation is shown, but in the configuration of FIG. 1, six unicast search responses may be returned by the real hosts 121 and 122 and the simulated hosts 111 to 114. When the infected device 300 receives those unicast search responses, it performs unicast negotiation in turn for all six of them. Furthermore, a plurality of sequences may be performed for one host, in which case the negotiation is repeated for that host.
  • when a session is established, the infected device 300 tries to share a file with the host device. Specifically, the infected apparatus 300 tries to share a file over SMB (Server Message Block). In this way, the infected device 300 tries to steal data.
  • the unique information storage unit 17 stores unique information of the plurality of virtual simulated hosts 111 to 114.
  • the unique information is the information needed to simulate a simulated host, and is set for each simulated host.
  • the simulated host activation management unit 18 manages activation of the simulated hosts 111 to 114 based on the unique information.
  • the simulated host management unit 16 manages the simulated hosts 111 to 114 based on the unique information.
  • the simulated host management unit 16 and the simulated host activation management unit 18 will be described later.
  • the unique information includes, for example, a computer name (or NetBIOS name), an IP address, a MAC address, a domain name, OS information (for example, an OS name and an OS version), a group name, a network management name, and the like.
  • the unique information storage unit 17 stores, for example, unique information of the plurality of simulated hosts 111 to 114 as a table. Further, the unique information storage unit 17 may store the network distance of the simulated hosts 111 to 114 for each simulated host. The unique information storage unit 17 stores unique information equivalent to the network management information of the real hosts 121 and 122 as unique information of the simulated hosts 111 to 114.
  • a simulated host having the same management information as the information held by the real hosts 121 and 122 may be registered in the unique information storage unit 17.
  • the unique information of the simulated host 111 is matched with, for example, the computer name (or NetBIOS name), IP address, MAC address, OS information, domain name, group name, network management name, etc. of the real host 121. By doing so, it is possible to make it appear as if the real host 121 exists even when the real host 121 is stopped.
  • a simulation host that is completely unrelated to the real hosts 121 and 122 may be registered in the unique information storage unit 17.
  • the broadcast packet processing unit 13 passes the broadcast packet to the simulated host management unit 16 as it is.
  • the unicast packet processing unit 14 determines whether the unicast packet is a TCP (Transmission Control Protocol) packet or a UDP (User Datagram Protocol) packet. In the case of a TCP packet, the unicast packet processing unit 14 performs a three-way handshake and passes the payload to the search request determination unit 15. On the other hand, in the case of a UDP packet, the unicast packet processing unit 14 passes the UDP packet as it is to the simulated host management unit 16.
  • the search request determination unit 15 determines whether a search request is included in the received packet. For example, the search request determination unit 15 determines whether the message is a search message for searching for a communication device (host device), a search for a network service, or a message for acquiring information details such as session negotiation. The search request determination unit 15 determines whether a message belonging to the search is included in the payload of the TCP packet.
  • the search request determination unit 15 determines that there is a search request when a message belonging to the search is included. Then, the search request determination unit 15 passes the message belonging to the search to the simulated host management unit 16 as a search request. Thus, the search request determination unit 15 determines whether or not the message included in the received packet is a search message (search request). Then, the search request determination unit 15 passes only the search request and does not pass any request other than the search request. For example, a message requesting file sharing is not allowed to pass. Since the search request determination unit 15 has such a determination function and a filtering function, leakage of important data can be prevented.
  • the search request determination unit 15 determines whether there is a search request using, for example, a white list. That is, only a message registered in the list in advance is passed as a search request to the simulated host management unit 16. In this way, malicious attacks can be filtered and security can be increased.
  • the white list can be set in combination with various types of unique information of the simulated host.
  • how far the request sequence succeeds then differs for each simulated host, so a more convincing deception can be configured.
  • the simulated host activation management unit 18 refers to the unique information storage unit 17 and manages whether each simulated host is activated or not. That is, the simulated host activation management unit 18 manages whether to activate the simulation apparatus based on the unique information, and determines whether to activate or stop each of the simulated hosts 111 to 114 registered in the unique information storage unit 17.
  • the simulated host activation management unit 18 manages the activation of the simulated host with an external request as a trigger. Specifically, upon receiving a request (activation request) for turning on the simulated host 111, the simulated host activation management unit 18 activates the simulated host 111. When receiving a request (stop request) for turning off the simulated host 111, the simulated host activation management unit 18 stops the activation of the simulated host 111. Then, the simulated host activation management unit 18 outputs activation information indicating whether or not each simulated host is activated to the simulation host management unit 16. The simulated host activation management unit 18 independently manages activation of a plurality of simulated hosts included in the unique information storage unit 17. The simulated host activation management unit 18 can dynamically change the activated simulated host.
  • the simulated host management unit 16 manages the simulated host to be simulated based on the activation information from the simulated host activation management unit 18. That is, the simulated host management unit 16 determines whether the simulated host makes a simulated response. For example, when there is a request for a running simulation host, the simulation host management unit 16 determines to make a response. On the other hand, for the suspended simulated host, it is determined that the simulated response is not performed. In the following description, an example in which the simulated host 113 is activated and the simulated host 112 is stopped will be described.
  • the simulated host management unit 16 refers to the unique information storage unit 17 and determines whether or not to respond to the search request. For example, the simulated host management unit 16 identifies the simulated host that should respond based on the transmission destination address included in the received packet. That is, the simulated host management unit 16 determines that a simulated host whose address matches the destination address included in the received packet responds. When a broadcast packet is received, the simulated host management unit 16 determines that all the activated simulated hosts respond.
  • the simulated host management unit 16 determines that a simulated response is to be performed for the simulated host that is the target of the search request. With reference to the packet transmission destination address, it is determined whether or not the simulated host is a search request target. The simulated host management unit 16 determines whether or not the simulated host responds based on the comparison result between the transmission destination address and the unique information and the determination result in the search request determination unit 15. The simulated host management unit 16 determines whether or not a response is required for each activated simulated host.
  • the simulated host management unit 16 determines that a simulated response is made, as if the simulated host 113 existed, when the active simulated host 113 receives a search request. On the other hand, if the target is not a running simulated host, if a search request is not included in the packet, or if the target is not a simulated host addressed by the search request, the simulated host management unit 16 determines not to make a simulated response. The simulated host management unit 16 thus prevents the suspended simulated host 112 from responding. Furthermore, even if a simulated host is active, no simulated response is made if it does not receive a search request. The simulated host management unit 16 determines that a response is required for all of the activated simulated hosts that are targets of the search request.
  • an external request to the simulated host activation management unit 18 can be realized by a setting file, API (Application Programming Interface), IF (Interface), or the like.
  • the setting file is, for example, preset schedule data. For example, the start time and stop time are set for each simulated host.
  • the security device 101 may store a setting file. Further, the simulated host activation management unit 18 may manage the activation of the simulated host according to a request from the real host.
  • the simulated host activation management unit 18 will be described.
  • the same address or the like as that of the real host 121 is registered in the simulated host 111 in the unique information storage unit 17.
  • information for constructing the simulated host 111 corresponding to the real host 121 is stored in the simulated host activation management unit 18 in advance or upon request. That is, unique information obtained by copying the management information of the real host 121 is set in the simulated host 111.
  • while the real host 121 is ON, the simulated host activation management unit 18 keeps the simulated host 111 stopped.
  • when the real host 121 is OFF, the simulated host activation management unit 18 activates the simulated host 111.
  • the simulated host activation management unit 18 instructs activation of the simulated host 111.
  • the simulated host activation management unit 18 instructs the simulated host 111 to stop at the timing when the real host 121 is activated.
  • the simulated host activation management unit 18 stops or activates the simulated host 111 using the ON/OFF state of the real host 121 as a trigger. Even while the real host 121 is disconnected from the network 200, the simulated host 111 exists on the network 200. In this way, a deception that more easily deceives an attacker can be configured: from the infected device 300, it looks as if the real host 121 exists. Thus, the simulated host activation management unit 18 may manage the activation of the simulated host 111 according to whether the real host 121 is activated.
  • the simulated response template storage unit 20 stores a simulated response template corresponding to the search request.
  • the simulated response template storage unit 20 holds the message format by hard coding.
  • the simulated response template storage unit 20 stores a message format of the response sentence.
  • the simulated response template storage unit 20 stores a template for each request or protocol.
  • the simulated response template storage unit 20 stores a message response sentence corresponding to the requested service as a template.
  • the simulated response template storage unit 20 stores a plurality of templates.
  • the simulated response generation unit 19 creates a simulated response in response to a request from the simulated host management unit 16.
  • when the simulated host management unit 16 determines to respond, the simulated response generation unit 19 generates a simulated response to the request addressed to the simulated host.
  • the simulated response generation unit 19 refers to the template stored in the simulated response template storage unit 20. As a result, the simulated response generation unit 19 can create an appropriate simulated response message in response to the request.
  • the simulated response generation unit 19 acquires the unique information of the simulated host that should respond from the unique information storage unit 17. Then, the simulated response generation unit 19 generates a simulated response message by combining the unique information with the response message format. That is, the simulated response generation unit 19 inserts the address and OS information contained in the unique information into the message format, producing a simulated response message that includes simulated information about the simulated host 111. As a result, a more convincing deception can be configured.
  • the simulated response template storage unit 20 stores templates according to the services that the simulated hosts 111 to 114 can offer. Furthermore, when the simulated host 111 and the simulated host 112 offer the same service, the simulated response generation unit 19 creates the simulated response messages for both from a common template. Further, the simulated response template storage unit 20 stores response templates for all messages included in the white list of the search request determination unit 15; as the number of templates increases, so does the number of request types that can be handled. The content of the white list does not need to match the contents of the simulated response template storage unit 20 and may be set independently. For example, the white list may be set so that only some of the stored templates are usable.
  • the simulated response transmission queue 22 queues the simulated response message created by the simulated response generation unit 19.
  • the simulated response transmission unit 23 transmits the simulated response message queued in the simulated response transmission queue 22 to the infected apparatus 300 as a simulated response.
  • the simulated response transmission unit 23 transmits a simulated response by a packet having the destination address of the infected device 300 as a transmission destination address.
  • the simulated response message stored in the simulated response transmission queue 22 is transmitted to the network via the simulated response transmission unit 23 according to an instruction from the simulated response transmission control unit 21. That is, the simulated response transmission unit 23 controls the transmission timing of the simulated response in the simulated response transmission unit 23.
  • the simulated response transmission unit 23 transmits a simulated response message to the infecting device 300 via the network 200 at a timing according to an instruction from the simulated response transmission control unit 21.
  • the simulated response transmission control unit 21 controls the transmission timing of the simulated responses stored in the simulated response transmission queue 22.
  • the simulated response transmission control unit 21 controls, for example, to transmit the simulated response message in the order of the queue.
  • the simulated response transmission control unit 21 may perform control so that the simulated response message is randomly transmitted.
  • the simulated response transmission control unit 21 may transmit a simulated response message according to the pattern.
  • the simulated response transmission control unit 21 can control the transmission order of the simulated responses.
  • the simulated response transmission unit 23 transmits the simulated response in the simulated response transmission queue 22 to the network 200 based on an instruction from the simulated response transmission control unit 21.
  • upon receiving a search request broadcast message, the simulated response generator 19 generates a simulated response message for each active simulated host. The simulated response transmission queue 22 then queues the simulated response messages in the order in which the simulated hosts are stored in the unique information storage unit 17, for example in the order simulated host 111, simulated host 112, simulated host 113, simulated host 114. The simulated response transmission unit 23 then transmits the simulated response messages in queue order; alternatively, it may transmit them in random order.
  • the simulated response transmission unit 23 may transmit each simulated response message according to a response timing set for that simulated host, or in an order or at a timing that follows a preset schedule.
  • the simulated response transmission control unit 21 controls, for each simulated host, the timing at which the simulated response transmission unit 23 sends that host's simulated response.
  • the response timing may be set according to the network distance stored in the unique information storage unit 17. That is, for a simulated host with a long network distance the simulated response transmission control unit 21 delays the response, and for a simulated host with a short network distance it responds sooner.
  • the simulated response transmission control unit 21 refers to the unique information storage unit 17 and sets a delay time according to the network distance. By controlling the transmission timing of the simulated response messages in this way, the simulated response transmission control unit 21 makes it appear to the infected device 300 as if the simulated hosts 111 to 114 actually exist; that is, a more convincing deception can be set up.
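The queueing and distance-based timing described in the bullets above, as an added example that is not part of the patent; the SimulatedHost fields, the hop-based distance metric and the delay constants are assumptions made for illustration.

```python
"""Transmission-timing control for simulated responses (added example, not the
patent's own code). One search-request broadcast yields one simulated response
per activated simulated host; the controller chooses the order (queue order,
random order, or a preset schedule) and adds a delay that grows with each
host's network distance, so a distant simulated host answers later than a near
one. Host fields, the hop metric and the delay constants are assumptions."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class SimulatedHost:
    name: str
    ip: str
    network_distance: int  # assumed metric: hops between infected device and host
    active: bool = True


# Constructed unique-information store (stands in for unique information storage unit 17).
UNIQUE_INFO = [
    SimulatedHost("SIM-111", "192.0.2.111", 1),
    SimulatedHost("SIM-112", "192.0.2.112", 3),
    SimulatedHost("SIM-113", "192.0.2.113", 2, active=False),  # not activated
    SimulatedHost("SIM-114", "192.0.2.114", 5),
]


def build_queue(store):
    """Queue one response per activated host, in the order the store lists them."""
    return [host for host in store if host.active]


def response_delay_ms(host, base_ms=1.0, per_hop_ms=2.5):
    """Per-host delay derived from network distance: farther hosts answer later."""
    return base_ms + per_hop_ms * host.network_distance


def schedule(queue, order="queue", preset=None, slot_ms=10.0, rng=None):
    """Plan the send time of every queued response.

    order="queue" keeps queue order, order="random" shuffles it (rng makes the
    shuffle reproducible), order="preset" sends the named hosts first and the
    rest in queue order. Each response gets a slot according to that order and
    is then delayed by its host's network distance. Returns [(host, send_at_ms)]
    sorted by send time.
    """
    if order == "queue":
        ordered = list(queue)
    elif order == "random":
        ordered = list(queue)
        (rng or random).shuffle(ordered)
    elif order == "preset":
        by_name = {host.name: host for host in queue}
        ordered = [by_name[name] for name in preset if name in by_name]
        ordered += [host for host in queue if host.name not in preset]
    else:
        raise ValueError(f"unknown order {order!r}")
    plan = [(host, slot_ms * slot + response_delay_ms(host))
            for slot, host in enumerate(ordered)]
    return sorted(plan, key=lambda entry: entry[1])


def transmit(plan, infected_ip="192.0.2.50"):
    """Emit one packet per planned response, sourced from the simulated host's
    address (stands in for simulated response transmission unit 23)."""
    return [{"src": host.ip, "dst": infected_ip, "send_at_ms": at}
            for host, at in plan]


if __name__ == "__main__":
    for host, at in schedule(build_queue(UNIQUE_INFO)):
        print(f"{at:6.1f} ms  {host.name} ({host.ip}, distance {host.network_distance})")
```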
  • the communication protocol of the network 200 has a layered configuration as shown in FIG. 3, for example.
  • the communication functions are defined in nine layers as shown in the figure: the physical layer as the first layer, the data link layer as the second layer, the network layer as the third layer, the transport layer as the fourth layer, the session layer as the fifth layer, the presentation layer as the sixth layer, and the application layer as the seventh layer.
  • the service layer is defined as the eighth layer.
  • the operation layer is defined as the ninth layer.
  • the seven layers from the physical layer to the application layer are those of the well-known OSI reference model. A service layer and an operation layer are additionally provided above the application layer.
  • the service layer is the layer representing the service provided by an application.
  • the operation layer is the layer representing information set during operation, such as a computer name.
  • the simulated response generation unit 19 creates a simulated response message that includes information about the application service and information about the computer's operation, as they would appear when the application software is actually in use.
  • a simulated response message corresponding to the session layer, presentation layer, application layer, service layer and operation layer, that is, the layers above the transport layer, is also transmitted.
  • the simulated response only needs to include simulated information about at least one of the session layer, the presentation layer, the application layer, the service layer and the operation layer.
  • the simulated response generation unit 19 generates a simulated response including information about a layer higher than the network layer.
  • the simulated response generation unit 19 generates a simulated response message including information on the session layer; one including information on the session layer and the presentation layer; one including information on the session layer, the presentation layer and the application layer; one including information on the session layer, the presentation layer, the application layer and the service layer; or one including information on the session layer, the presentation layer, the application layer, the service layer and the operation layer.
  • it is preferable that the simulated response message include information on one or more of the application layer, the service layer and the operation layer, that is, information about the application service and the computer's operation. By including such higher-layer information, a more convincing simulated response can be transmitted.
  • the infected device 300 can thus be reliably deceived. That is, by including in the simulated response message information equivalent to what would be returned if the real hosts 121 and 122 were searched, the simulated host looks like a real host to the infected device 300. As a result, a more convincing deception can be set up, the attack cost can be increased, and security can be improved.
  • the simulated response generation unit 19 generates a simulated response message including information on all layers.
  • the template stored in the simulated response template storage unit 20 includes information about all layers.
  • the security device 101 performs the simulated response for the negotiation part on behalf of a plurality of simulated hosts, so that sessions are established between the infected device 300 and the plurality of simulated hosts. It therefore appears to the infected device 300 as if a large number of simulated hosts exist on the network. The security device 101 does not simulate the actual function (service) after a session has been established by negotiation, which prevents leakage of important data through file sharing or the like and thus improves security.
  • the unique information storage unit 17 holds unique information for a plurality of simulated hosts.
  • the simulated host activation management unit 18 manages the activation of the plurality of simulated hosts based on the unique information. Based on the request included in a packet, the simulated host management unit 16 determines whether or not the plurality of simulated hosts activated by the simulated host activation management unit 18 respond.
  • the simulated response generator 19 generates a simulated response for each simulated host, and the simulated response transmitter 23 transmits it. In this way the simulated hosts can be made to appear to exist; that is, the infected device 300 can be shown the illusion of a simulated network system 110 with a plurality of simulated hosts.
  • the simulated response transmission control unit 21 controls the transmission timing of the simulated responses, so that a more convincing deception can be set up. Further, a request is passed only when the search request determination unit 15 determines it to be a search request; requests other than searches (for example, file sharing requests) are filtered, which prevents leakage of important data. The search request determination unit 15 may also dynamically change which requests it passes, that is, it may dynamically change the threshold used to decide whether or not to pass a request.
  • the security device 101 generates the plurality of simulated hosts 111 to 114 regardless of whether or not the communication device that is the transmission source of a packet is a malicious attacker. It is therefore not necessary to detect whether the transmission source is an attacker, and security against a sophisticated attack that conceals its malicious intent can be improved.
  • by increasing the number of simulated hosts stored in the unique information storage unit 17, the attacker can be deceived more easily. The attacker can also be deceived more easily by setting the information stored in the unique information storage unit 17 appropriately. For example, the IP address stored in the unique information storage unit 17 may be an address suited to the network in which it is set, or may be obtained by DHCP from an actual DHCP server on the network. When the MAC address uses the vendor code + number structure, it can be generated following that structure.
  • for the domain name, if the same character string is used throughout the domain, it is preferable to set the character string used in the actual network system.
  • for the group name, the same character string as the group name of the actual network system 120 can be used.
  • group names can be set so as to form several groups.
  • for the OS name and the network management name, any one of the existing finite set of variations may be selected.
  • FIG. 4 is a diagram showing the information about the simulated hosts acquired by the infected device 300 through its search request.
  • the infected device 300 acquires the IP address, NetBIOS name, group name, OS and OS version of each simulated host via the SMB protocol (findSMB).
  • FIG. 4 shows the unique information of six simulated hosts acquired by the search request of the infected device 300. By providing the infected device 300 with information about a plurality of simulated hosts in this way, the attack cost incurred before an external intruder reaches the target data can be increased. The cost advantage on the defense side therefore grows and high security can be realized.
  • the simulated response generation unit 19 refers to the templates stored in the simulated response template storage unit 20 to create the simulated response messages.
  • the simulated response messages may also be created automatically.
  • for example, the real host 121 or the security device 101 may create a response message for the requested service and replace some of its information with information about the simulated host.
  • an access recording unit that records accesses from the infected device 300 may be provided; that is, the received packets, i.e. information about the received requests, are recorded.
  • the security device 101 uses this access information for detection of unauthorized intrusion, incident response, forensic analysis and the like.
  • FIG. 5 is a block diagram illustrating the configuration of the security device 101 according to the second embodiment. The overall configuration of the security system 100 is the same as in the first embodiment, so its description is omitted.
  • in the second embodiment, a transmission source determination unit 24 is added to the configuration of the security device 101 of the first embodiment.
  • the configuration other than the transmission source determination unit 24 is the same as that described in the first embodiment, so its description is omitted.
  • the transmission source determination unit 24 determines the transmission source of a received packet. For example, the security device 101 detects that the infected device 300 is a malicious attacker while the infected device 300 is searching; alternatively, another detection device (a real host) may detect the unauthorized intrusion and notify the security device 101. When the infected device 300 is detected to be a malicious attacker, the transmission source determination unit 24 extracts its transmission source address and passes it to the simulated host management unit 16. The simulated host management unit 16 then manages the simulated hosts for that specific transmission source; that is, it manages the simulated hosts so that simulated responses are sent only to the malicious transmission source.
  • the simulated hosts 111 and 112 are thus visible only from the infected device 300.
  • the simulated hosts cannot be seen from a normal, non-malicious communication device.
  • the simulated hosts do not respond to requests from normal communication devices, so in this embodiment the influence on normal communication devices can be suppressed.
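The white-list filtering of search requests, the filling of a per-service template with a host's unique information and layer-by-layer fields, and the per-source gating of the second embodiment, combined into one added example that is not the patent's own code; the message-type names, template fields and host attributes are assumptions made for illustration.

```python
"""Search-request white list and template-driven simulated responses (added
example, not the patent's own code). A request passes only if its type is on
the search white list (discovery and negotiation); a file-sharing request is
filtered, so no real service is ever simulated. For each activated simulated
host the unique information is merged into a per-service template whose fields
are grouped by the layers above the transport layer. With a non-empty set of
flagged sources (second embodiment), only packets from those sources are
answered. Message-type names, template fields and host fields are assumptions."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class SimulatedHost:
    ip: str
    mac: str
    netbios_name: str
    group: str
    os_name: str
    os_version: str
    active: bool = True


# Constructed unique-information store (stands in for unique information storage unit 17).
UNIQUE_INFO = [
    SimulatedHost("192.0.2.111", "02:00:5e:00:01:11", "SIM-111", "WORKGROUP", "Windows", "6.1"),
    SimulatedHost("192.0.2.112", "02:00:5e:00:01:12", "SIM-112", "WORKGROUP", "Windows", "6.3"),
    SimulatedHost("192.0.2.113", "02:00:5e:00:01:13", "SIM-113", "LAB", "Linux", "4.4", active=False),
]

# White list of the search request determination unit: discovery and negotiation
# only. TREE_CONNECT / READ / WRITE (the real file-sharing service) are filtered.
SEARCH_WHITELIST = {"NAME_QUERY", "NEGOTIATE", "SESSION_SETUP"}

# Per-service templates (simulated response template storage unit 20); {braces}
# are filled from the host's unique information. SESSION_SETUP is white-listed
# but has no template, showing that the two stores may be set independently.
TEMPLATES = {
    "NAME_QUERY": {
        "application": {"protocol": "NBNS", "name": "{netbios_name}"},
        "operation": {"computer_name": "{netbios_name}", "workgroup": "{group}"},
    },
    "NEGOTIATE": {
        "session": {"dialect": "SMB2", "state": "negotiated"},
        "presentation": {"charset": "UTF-16LE"},
        "application": {"protocol": "SMB", "server": "{netbios_name}"},
        "service": {"advertised": ["file-sharing"], "served": []},  # negotiation only
        "operation": {"computer_name": "{netbios_name}", "workgroup": "{group}",
                      "os": "{os_name} {os_version}"},
    },
}


def fill_template(template, host):
    """Combine a template with one host's unique information (generation unit 19)."""
    values = asdict(host)
    return {layer: {key: value.format(**values) if isinstance(value, str) else value
                    for key, value in fields.items()}
            for layer, fields in template.items()}


def handle_request(msg_type, src_ip, store=UNIQUE_INFO, flagged_sources=frozenset()):
    """Return one simulated response per activated host, or [] when the request is
    filtered, has no template, or (second embodiment) comes from an unflagged source."""
    if flagged_sources and src_ip not in flagged_sources:
        return []
    if msg_type not in SEARCH_WHITELIST:
        return []
    template = TEMPLATES.get(msg_type)
    if template is None:
        return []
    return [{"src_ip": host.ip, "src_mac": host.mac, "dst_ip": src_ip,
             "body": fill_template(template, host)}
            for host in store if host.active]


def discovered_view(responses):
    """What the requesting device learns, in the columns of FIG. 4 (findSMB-style)."""
    return [(r["src_ip"], r["body"]["operation"]["computer_name"],
             r["body"]["operation"]["workgroup"], r["body"]["operation"].get("os", "?"))
            for r in responses]
```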
  • Embodiment 3. A security system according to this embodiment will be described.
  • the security system is a security system that prevents unauthorized intrusion into a network system, and includes: a packet receiving unit 51 that receives packets from an intrusion device that attempts unauthorized intrusion; a unique information storage unit 52 that stores unique information of a plurality of virtual simulation devices; a start management unit 53 that manages whether or not to start the simulation devices based on the unique information; a simulation device management unit 54 that determines, based on a request included in a packet, whether or not the plurality of simulation devices started by the start management unit respond; a simulation response generation unit that generates, for each simulation device determined to respond by the simulation device management unit, a simulation response to the request addressed to that simulation device; and a simulated response transmission unit 56 that transmits the simulated responses to the intrusion device.
  • with this security system 100 it is possible to set up a deception that more easily deceives a malicious attacker, so that the attack cost can be increased and high security realized. The configurations of the first and second embodiments may be combined with or substituted for the configuration of the third embodiment as appropriate.
  • non-transitory computer-readable media include various types of tangible storage media.
  • examples of non-transitory computer-readable media include magnetic recording media (for example, flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (for example, magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, and semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable ROM), flash ROM, RAM (Random Access Memory)).
  • the program may also be supplied to the computer via various types of transitory computer-readable media.
  • examples of transitory computer-readable media include electrical signals, optical signals and electromagnetic waves.
  • a transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.

Abstract

The invention aims to provide a highly secure security system, security method and program. According to one embodiment, a security system comprises: a packet receiving unit that receives packets from an infected device (300); a unique information storage unit (17) that stores unique information corresponding to a plurality of virtual simulated devices; a simulated host activation management unit (18) that decides whether to activate simulated hosts (111-114) on the basis of said unique information; a simulated host management unit (16) that determines, on the basis of requests contained in the packets, whether a plurality of simulated hosts (111-114) activated by the simulated host management unit (16) should respond; a simulated response generation unit (19) that generates, for each simulated host that should respond according to the determination of the simulated host management unit (16), a simulated response conforming to the request addressed to that simulated host; and a simulated response transmission unit (23) that transmits the simulated responses to the infected device (300).
PCT/JP2015/002458 2014-08-25 2015-05-15 Security system, security method, and computer-readable medium WO2016031103A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2016544908A JP6460112B2 (ja) 2014-08-25 2015-05-15 Security system, security method, and program
US15/505,381 US20170272466A1 (en) 2014-08-25 2015-05-15 Security system, security method, and computer-readable medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014-170368 2014-08-25
JP2014170368 2014-08-25

Publications (1)

Publication Number Publication Date
WO2016031103A1 true WO2016031103A1 (fr) 2016-03-03

Family

ID=55399029

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/002458 WO2016031103A1 (fr) 2014-08-25 2015-05-15 Security system, security method, and computer-readable medium

Country Status (3)

Country Link
US (1) US20170272466A1 (fr)
JP (1) JP6460112B2 (fr)
WO (1) WO2016031103A1 (fr)

Also Published As

Publication number Publication date
US20170272466A1 (en) 2017-09-21
JP6460112B2 (ja) 2019-01-30
JPWO2016031103A1 (ja) 2017-06-15
